Specification, Prototyping and Validation

Interactive Cockpits Applications: Specification, Prototyping and Validation using a Petri-nets based Formalism

Arnaud Hamon, Célia Martinie, Philippe Palanque, Eric Barboni, David Navarre, Adrienne Tankeu-Choitat

ICS-IRIT, University Paul Sabatier (Toulouse 3), 118, route de Narbonne, 31062 Toulouse Cedex 4, France
{lastname}@irit.fr

To cite this version: Arnaud Hamon, Célia Martinie, Philippe Palanque, Eric Barboni, David Navarre, et al. Interactive Cockpits Applications: Specification, Prototyping and Validation using a Petri-nets based Formalism. Embedded Real Time Software and Systems (ERTS2012), Feb 2012, Toulouse, France. hal-02189909

HAL Id: hal-02189909
https://hal.archives-ouvertes.fr/hal-02189909
Submitted on 20 Jul 2019

ABSTRACT

The purpose of ARINC 661 specification is to define interfaces to a Cockpit Display System (CDS) which is used in many types of aircraft cockpits such as A380 from Airbus, B787 from Boeing or Falcon 2000D from Dassault Aviation. ARINC 661 provides precise information for the communication protocol between applications (called User Applications) and user interface elementary components (called widgets). It also provides a detailed description of the widgets themselves (attributes, events …). However, in ARINC 661, very little information is given about the behaviour of these widgets and about the behaviour of an application made up of a set of such widgets. This paper presents a quick overview of the formal description technique called Interactive Cooperative Objects (ICOs) and its application for modelling the various elements of ARINC 661 specification. This formal description technique defines (in a precise and non-ambiguous way) all the elements of an interactive application compliant with ARINC 661 specification and especially their behavioural aspects, which are definitely overlooked in the standard. The application of the formal description technique is shown on an interactive application to be used in an interactive cockpit. This application supports pilots’ activities while cooperating with Air Traffic Controllers (ATC) using a Data-Link (DL) communication technology. Such communication must follow a predefined protocol called CPDLC (Control-Pilot Data Link Communication). Using this application as a case study, we present how ICOs are used for modelling Interactive Widgets, User Applications and User Interface servers (in the ARINC 661 specification context). Lastly, we present briefly how such models can be exploited for verification and validation purposes of interactive cockpits applications.

Keywords

ARINC 661, Formal methods, Interactive Systems

INTRODUCTION

Interactive applications embedded in cockpits are the current trend of evolution promoted by several aircraft manufacturers both in the field of civil and military systems (Faerber et al. 2000, Marrenbach & Kraiss 2000). With respect to technology currently deployed this evolution might be seen as a small step forward. Reality is very different. Embedding interactive applications in civil and military cockpits is expected to provide significant benefits to the pilots by providing them with easier to use and more efficient applications increasing the communication bandwidth between pilots and systems. However, this technological enhancement comes along with several problems that have to be taken into account with appropriate precautions. Questions such as: what kind of interactive components should be used in a cockpit? How to design such embedded interactive applications? What is the impact of such interaction techniques on the reliability of the application? What is the impact on the certification process? Such questions have been raised since the mid 90s and there is already an ongoing standardization process. ARINC specification 661 (see next section) aims at providing a common ground for building interactive applications in the field of aeronautical industry. However, this standard only deals with part of the issues raised. The aim of this paper is to propose a formal description technique to be used as a complement to ARINC 661 for the specification, design, implementation and validation of interactive applications.

The paper is structured as follows. Next section introduces ARINC 661 specification to define interfaces for a Cockpit Display System. It presents the content of the specification but also the parts that are left underspecified and that have to be dealt with precisely in order to build ARINC-661-compliant interactive applications. Section 3 presents the ICO formalism, a formal description technique for the design of safety critical interactive applications. This description technique has already been applied in the field of Air Traffic Control application. Its applicability to cockpit display system and its compatibility with ARINC specification 661 is presented in section 4 by means of a case study. This case study is used in the context of a ground-air data-link communication application embedded in the MCDU (Multifunction Control and Display Unit) equipment. Last section of the paper deals with conclusions and perspectives to this work.

ARINC 661

Purpose and Scope

The purpose of ARINC 661 specification (ARINC 661, 2002) is to define interfaces to a Cockpit Display System (CDS) used in all types of aircraft installations. Among the objectives of this standard we find:
• The minimization of the cost of adding new display function to the cockpit during the life of an aircraft.
• The introduction of interactivity in the cockpit, providing a basis to standardize the Human Machine Interface (HMI) in the cockpit.

ARINC 661 defines two interfaces between the CDS and the aircraft systems to provide a clear separation between them. The first interface is between the avionics equipment and the display system graphics generators, and the second is a way to define the symbology and its related behavior. The CDS provides graphical and interactive services to user applications (UA) within the flight deck environment. A user application is then defined as a system that has a two way communication with the CDS:
• Transmission of data to the CDS, which can be displayed to the flight deck crew.
• Reception of input (as events) from interactive items managed by the CDS.

In the field of interactive systems engineering, interactive software architectures such as Seeheim (Pfaff 83) or Arch (Gram & Cockton 96) promote a separation of the interactive system in at least three components: presentation part (in charge of presenting information to and receiving input from the users), dialogue part (in charge of the behaviour of the system i.e. describing the available interface elements according to the current state of the application) and functional core (in charge of the non interactive functions of the system). The CDS part may be seen as the presentation part of the whole system, provided to crew members, and the set of UAs may be seen as the merge of both the dialogue and the functional core of this system. ARINC 661 dissociates, on one side, input and output devices (provided by avionics equipment manufacturers) and on the other side the user applications (designed by aircraft manufacturers). Consistency between these two parts is maintained through the communication protocol defined by ARINC specification 661.

What may be found in ARINC specification 661 is:
• The definition of the software interface between the CDS

The main drawback of this description is the lack of description of the behaviour itself. Even if states are partially described, dynamic aspects such as state changes are informally described.

As stated in ARINC 661, the main paradigm is here based on this observation:

“A UA should not have any direct access to the visual representations. Therefore, visual presentations do not have to be defined within the ARINC 661 interface protocol. Only the ARINC 661 parameter effects on graphical representation should be described in the ARINC 661 interface. The style guide defined by the OEM should describe the “look and feel” and thus, provide necessary information to UAs for their HMI interface design.”

That implies clearly defining the communication between objects (widgets and UAs), and clearly defining the impact of state changes on the presentation of these objects.

As ARINC 661 is intended for use in aircraft cockpits, certification problems are raised. Therefore our main contribution is to use an already existing formal description technique (ICO) to precisely raise ambiguities in ARINC 661.

ICO FORMALISM

Informal Presentation

The aim of this section is to recall the main features of the ICO (Interactive Cooperative Objects) formalism that we have proposed for the formal description of interactive system. The formalism will be used for the case studies and performance
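
The remark that widget state changes are only informally described can be made concrete with a small Petri net. The following is an added example, not code from the paper or from ARINC 661: it uses a plain 1-safe place/transition net (not the ICO notation) for a hypothetical button-like widget, and all place and transition names are assumptions. Exhaustive reachability analysis finds a firing sequence in which a widget disabled by the UA still sends it an event, and confirms that a refined net rules this out.

```python
from collections import deque

# Constructed model of a hypothetical button-like widget; place and transition
# names are assumptions for illustration, not taken from ARINC 661 or the paper.
# Each transition maps to (input places, output places) of a 1-safe net.
AMBIGUOUS = {
    "ua_disable":     ({"enabled"}, {"disabled"}),
    "ua_enable":      ({"disabled"}, {"enabled"}),
    "crew_press":     ({"enabled", "idle"}, {"enabled", "pressed"}),
    "release_notify": ({"pressed", "evt_free"}, {"idle", "evt_sent"}),
    "ua_consume":     ({"evt_sent"}, {"evt_free"}),
}
# Refinement: a release only notifies the UA while the widget is still enabled;
# a release on a disabled widget returns to idle without emitting an event.
REFINED = dict(AMBIGUOUS)
REFINED["release_notify"] = ({"pressed", "evt_free", "enabled"},
                             {"idle", "evt_sent", "enabled"})
REFINED["release_silent"] = ({"pressed", "disabled"}, {"idle", "disabled"})

INITIAL = frozenset({"enabled", "idle", "evt_free"})

def fire(marking, pre, post):
    """Return the successor marking, or None if the transition is not enabled."""
    if not pre <= marking:
        return None
    return frozenset((marking - pre) | post)

def reachability(net, initial=INITIAL):
    """Breadth-first exploration: marking -> shortest firing sequence reaching it."""
    seen = {initial: []}
    queue = deque([initial])
    while queue:
        m = queue.popleft()
        for name, (pre, post) in sorted(net.items()):
            nxt = fire(m, pre, post)
            if nxt is not None and nxt not in seen:
                seen[nxt] = seen[m] + [name]
                queue.append(nxt)
    return seen

def event_from_disabled_widget(net):
    """Shortest firing sequence ending with a disabled widget notifying the UA, or None."""
    traces = [path + ["release_notify"]
              for m, path in reachability(net).items()
              if "disabled" in m and fire(m, *net["release_notify"]) is not None]
    return min(traces, key=len) if traces else None

if __name__ == "__main__":
    print("ambiguous:", event_from_disabled_widget(AMBIGUOUS))
    print("refined:  ", event_from_disabled_widget(REFINED))
```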
